AWS CDK "is not authorized to perform sts:AssumeRole on cdk-...-deploy-role" in CI
Modern CDK deploys by assuming the bootstrap deploy/file-publishing roles (cdk-<qualifier>-deploy-role-...). The CI identity (an OIDC role or access key) is not trusted by those roles, so STS denies the assume call.
What this error means
cdk deploy fails with "current credentials could not be used to assume \"arn:aws:iam::...:role/cdk-hnb659fds-deploy-role-...\"" or an explicit "is not authorized to perform: sts:AssumeRole" from STS.
current credentials could not be used to assume
'arn:aws:iam::123456789012:role/cdk-hnb659fds-deploy-role-123456789012-us-east-1',
but are for the right account. Proceeding anyway.
... User: arn:aws:sts::123456789012:assumed-role/gha-deployer/... is not authorized
to perform: sts:AssumeRole on resource: ...cdk-hnb659fds-deploy-role...Common causes
The deploy role trust policy excludes the CI principal
The bootstrap roles trust only a configured set of principals; your OIDC role ARN is not in the trust policy, so AssumeRole is denied.
The CI role lacks sts:AssumeRole permission
Even with trust set, the CI identity's own policy may not allow sts:AssumeRole on the cdk-* roles.
How to fix it
Trust the CI principal when bootstrapping
- Re-bootstrap with
--trustpointing at the CI deployer role/account. - Confirm the OIDC role ARN matches the trust policy on the cdk-* roles.
- Re-run the deploy so AssumeRole succeeds.
cdk bootstrap aws://123456789012/us-east-1 \
--trust arn:aws:iam::123456789012:role/gha-deployer \
--cloudformation-execution-policies arn:aws:iam::aws:policy/AdministratorAccessGrant the CI role assume permission
Allow the CI identity to assume the cdk-* roles in its own IAM policy.
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789012:role/cdk-*"
}How to prevent it
- Bootstrap with
--trustfor every CI deployer principal. - Use OIDC role ARNs consistently and keep trust policies in sync.
- Re-bootstrap when the CI deployer role changes.